BleepingComputer.com: Mozilla infected with Google redirect spyware

This thread is very similar to a current thread right now, but I have some different symptoms and instead of searching the internet for other peoples' solutions, I came here to seek a personal diagnostic.

My homepage loads, and tabs don't appear when I click google results. Instead, the page is redirected to a malicious one in the same tab, making browsing tedious and inconvenient. On the chance that a page does load, it is much slower than normal. Internet Explorer 6 is unaffected.

GMER also had crashed my computer numerous times, so I will not be posting a log of it.


DDS (Ver_10-11-10.01) - NTFSx86
Run by Paul Brackenbury at 7:52:25.17 on 2010/11/23
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.1918.1400 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Paul Brackenbury\Local Settings\Temporary Internet Files\Content.IE5\2FSNO123\dds[1].scr

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Net Agent] "c:\program files\daemon tools net\DTAgent.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRun: [UO8KTAT1GY] c:\windows\temp\Ikl.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paulbr~1\applic~1\mozilla\firefox\profiles\njjypxup.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 dtcdrom;dtcdrom;c:\windows\system32\drivers\dtcdrom.sys [2010-10-10 201280]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-11-23 16968]
S2 DTNetService;DTNetService;c:\program files\daemon tools net\DTNetSrv.exe [2010-7-29 394560]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-11-23 256512]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-23 38224]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

=============== Created Last 30 ================

2010-11-23 12:15:50 -------- d-----w- c:\docume~1\paulbr~1\applic~1\Malwarebytes
2010-11-23 12:15:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-23 12:15:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-23 12:15:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-23 12:15:44 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-11-23 12:06:42 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-11-23 11:57:37 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-11-23 11:55:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-11-23 11:55:57 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Hitman Pro
2010-11-23 11:37:59 -------- d-sha-r- C:\cmdcons
2010-11-23 11:33:52 98816 ----a-w- c:\windows\sed.exe
2010-11-23 11:33:52 89088 ----a-w- c:\windows\MBR.exe
2010-11-23 11:33:52 256512 ----a-w- c:\windows\PEV.exe
2010-11-23 11:33:52 161792 ----a-w- c:\windows\SWREG.exe
2010-11-23 11:33:45 -------- d-s---w- C:\ComboFix
2010-11-23 11:06:45 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-23 11:06:45 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-23 10:37:31 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Sony(2)
2010-11-23 10:20:24 -------- d-----w- c:\docume~1\paulbr~1\locals~1\applic~1\Sony
2010-11-23 03:33:25 -------- d-----w- c:\program files\Sony
2010-11-23 03:32:41 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-11-23 03:32:10 -------- d-----w- C:\74a17fa8c0c623c9b32d6b5464
2010-11-23 03:19:34 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-23 03:19:26 14048 ------w- c:\windows\system32\spmsg2.dll
2010-11-23 03:19:23 -------- d-----w- C:\9bdc19eb9539e0f44ff2f0ad
2010-11-23 03:07:19 -------- d-s---w- c:\documents and settings\paul brackenbury\UserData
2010-11-23 03:05:38 122368 --sha-r- c:\windows\system32\msimsg0.exe
2010-11-08 08:14:47 -------- d-----r- c:\program files\Skype

==================== Find3M ====================

2010-10-13 21:53:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-13 21:53:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 7:52:51.57 ===============

 Attach.txt (7.68K)
Number of downloads: 0

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



Thanks.

DR

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.